Adds LDAP auth support

backend/internal/api/handler/users.go

@@ -3,6 +3,7 @@ package handler
 import (
 	"encoding/json"
 	"net/http"
+	"time"
 
 	c "npm/internal/api/context"
 	h "npm/internal/api/http"
@@ -17,6 +18,13 @@ import (
 	"gorm.io/gorm"
 )
 
+type setAuthModel struct {
+	// The json tags are required, as the change password form decodes into this object
+	Type          string `json:"type"`
+	Secret        string `json:"secret"`
+	CurrentSecret string `json:"current_secret"`
+}
+
 // GetUsers returns all users
 // Route: GET /users
 func GetUsers() func(http.ResponseWriter, *http.Request) {
@@ -188,7 +196,7 @@ func CreateUser() func(http.ResponseWriter, *http.Request) {
 		// newUser has been saved, now save their auth
 		if newUser.Auth.Secret != "" && newUser.Auth.ID == 0 {
 			newUser.Auth.UserID = newUser.ID
-			if newUser.Auth.Type == auth.TypePassword {
+			if newUser.Auth.Type == auth.TypeLocal {
 				err = newUser.Auth.SetPassword(newUser.Auth.Secret)
 				if err != nil {
 					logger.Error("SetPasswordError", err)
@@ -247,3 +255,79 @@ func getUserIDFromRequest(r *http.Request) (uint, bool, error) {
 	}
 	return userID, self, nil
 }
+
+// SetAuth sets a auth method. This can be used for "me" and `2` for example
+// Route: POST /users/:userID/auth
+func SetAuth() func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		bodyBytes, _ := r.Context().Value(c.BodyCtxKey).([]byte)
+
+		var newAuth setAuthModel
+		err := json.Unmarshal(bodyBytes, &newAuth)
+		if err != nil {
+			h.ResultErrorJSON(w, r, http.StatusBadRequest, h.ErrInvalidPayload.Error(), nil)
+			return
+		}
+
+		userID, isSelf, userIDErr := getUserIDFromRequest(r)
+		if userIDErr != nil {
+			h.ResultErrorJSON(w, r, http.StatusBadRequest, userIDErr.Error(), nil)
+			return
+		}
+
+		// Load user
+		thisUser, thisUserErr := user.GetByID(userID)
+		if thisUserErr == gorm.ErrRecordNotFound {
+			h.NotFound(w, r)
+			return
+		} else if thisUserErr != nil {
+			h.ResultErrorJSON(w, r, http.StatusBadRequest, thisUserErr.Error(), nil)
+			return
+		}
+
+		if thisUser.IsSystem {
+			h.ResultErrorJSON(w, r, http.StatusBadRequest, "Cannot set password for system user", nil)
+			return
+		}
+
+		// Load existing auth for user
+		userAuth, userAuthErr := auth.GetByUserIDType(userID, newAuth.Type)
+		if userAuthErr != nil {
+			h.ResultErrorJSON(w, r, http.StatusBadRequest, userAuthErr.Error(), nil)
+			return
+		}
+
+		if isSelf {
+			// confirm that the current_secret given is valid for the one stored in the database
+			validateErr := userAuth.ValidateSecret(newAuth.CurrentSecret)
+			if validateErr != nil {
+				logger.Debug("%s: %s", "Password change: current password was incorrect", validateErr.Error())
+				// Sleep for 1 second to prevent brute force password guessing
+				time.Sleep(time.Second)
+
+				h.ResultErrorJSON(w, r, http.StatusBadRequest, errors.ErrCurrentPasswordInvalid.Error(), nil)
+				return
+			}
+		}
+
+		if newAuth.Type == auth.TypeLocal {
+			err := userAuth.SetPassword(newAuth.Secret)
+			if err != nil {
+				logger.Error("SetPasswordError", err)
+				h.ResultErrorJSON(w, r, http.StatusBadRequest, err.Error(), nil)
+			}
+		}
+
+		if err = userAuth.Save(); err != nil {
+			logger.Error("AuthSaveError", err)
+			h.ResultErrorJSON(w, r, http.StatusInternalServerError, "Unable to save Authentication for User", nil)
+			return
+		}
+
+		userAuth.Secret = ""
+
+		// todo: add to audit-log
+
+		h.ResultResponseJSON(w, r, http.StatusOK, userAuth)
+	}
+}